WebAuthn Platform Enrollment Skip Behavior

snoozeEnrollment() and refuseEnrollmentOnThisDevice() fail to complete transaction when enrollment is triggered via api.authentication.enrollWith() in a Post-Login Action

Category: Multi-factor Authentication / WebAuthn / Actions

**Summary:**When WebAuthn platform enrollment is triggered programmatically via api.authentication.enrollWith({ type: 'webauthn-platform' }) in a Post-Login Action, neither snoozeEnrollment() nor refuseEnrollmentOnThisDevice() from the ACUL SDK are able to complete the login transaction when called from the Universal Login enrollment screen. Both methods result in the transaction failing and the user being unable to log in.

This appears to be because enrollWith creates a transaction context where Auth0 expects enrollment to be completed or explicitly refused at the policy level — but neither SDK method satisfies that requirement when enrollment is action-driven rather than policy-driven (progressive enrollment).

The only known workaround is calling reportBrowserError() with a synthetic error on skip, which signals a browser-side WebAuthn failure and allows Auth0 to continue the transaction without enrollment being completed. This suggests snoozeEnrollment() and refuseEnrollmentOnThisDevice() are only designed to work within Auth0’s native progressive enrollment flow, not action-triggered enrollment, and the documentation does not make this distinction clear.Ready to post? :magnifying_glass_tilted_right: First try searching for your answer.

Hi again @dhrupal.patel

I can see that you are experiencing similar issues posted in your previous topic regarding the skip behavior of the WebAuth enrollment. In order to address the more specific issues you have posted here:

You are reporting that when WebAuthn platform authenticator enrollment is triggered programmatically via api.authentication.enrollWith({ type: 'webauthn-platform' }) in a Post-Login Action, neither snoozeEnrollment() nor refuseEnrollmentOnThisDevice() from the Advanced Customizations for Universal Login (ACUL) SDK can complete the login transaction. Both methods result in transaction failure and the user being unable to log in, and the only workaround is calling reportBrowserError() with a synthetic WebAuthn error to signal a browser-side failure.

Root Cause: Auth0 does not officially support optional MFA enrollment with skip or snooze functionality when enrollment is triggered via api.authentication.enrollWith() in a Post-Login Action. When enrollWith() is called, it creates a mandatory enrollment transaction that Auth0 expects to be completed before the authentication flow can proceed. The ACUL SDK methods snoozeEnrollment() and refuseEnrollmentOnThisDevice() are designed to work only within Auth0's native progressive enrollment flow (where enrollment is policy-driven), not with action-triggered enrollment. These methods do not satisfy the transaction completion requirement imposed by enrollWith(), leaving the transaction in a failed state.

The reportBrowserError() workaround succeeds because it signals a WebAuthn API failure at the browser level, which Auth0 interprets as a legitimate technical reason to bypass the enrollment requirement and allow the transaction to complete. This is not an intended use of the method and should not be relied upon as a permanent solution.

Official Limitation: According to Auth0 support documentation, skipping MFA enrollment is not supported when MFA is enabled. The platform requires that when an enrollment is triggered, it must be completed before authentication can proceed. There is no tenant-side configuration, Login Flow Action, or MFA enrollment policy setting that can change this behavior when using enrollWith().

Recommended Alternatives:

  1. Use enrollWithAny() instead of enrollWith() — This method allows users to skip enrollment if they already have at least one other MFA factor enrolled. If the user has no other factors, they are still required to enroll in one of the available options, but they can choose which factor to use.

    Example:

    exports.onExecutePostLogin = async (event, api) => {
      if (event.user.enrolledFactors.length === 0) {
        api.authentication.enrollWithAny({ 
          factors: ['webauthn-platform', 'otp'] 
        });
      }
    };
  2. Use conditional logic to avoid triggering enrollment for specific users — Instead of calling enrollWith() for all users, check user metadata, group membership, or other conditions to determine whether enrollment should be prompted at all.

    Example:

    exports.onExecutePostLogin = async (event, api) => {
      if (event.user.app_metadata.requiresWebAuthnEnrollment) {
        api.authentication.enrollWith({ 
          type: 'webauthn-platform' 
        });
      }
    };
  3. Prompt users for enrollment outside the authentication flow — Implement enrollment as an optional, post-login user preference in your application rather than as a mandatory step during authentication. This allows users to enroll at their own pace without blocking login.
  4. Use tryAnotherMethod() from the ACUL SDK — If you are using a custom enrollment screen, the tryAnotherMethod() method allows users to switch to a different MFA factor, but this does not allow them to skip enrollment entirely.

What the documentation does not clarify: The ACUL SDK documentation for snoozeEnrollment() and refuseEnrollmentOnThisDevice() does not explicitly state that these methods only work with policy-driven progressive enrollment and will fail when enrollment is triggered via api.authentication.enrollWith() in a Post-Login Action. This distinction should be documented to prevent developers from attempting to use these methods in action-triggered scenarios where they are not supported.

Submitting feedback: If optional enrollment with skip/snooze functionality is required for your use case, Auth0 recommends submitting a feature request using the Auth0 Product Feedback page.

You might want to dig into these resources:

We hope this clarifies the limitation and provides a path forward for your implementation.

Kind Regards,
Nik